Help with proxy settings please

Phil Mayers p.mayers at imperial.ac.uk
Thu Jan 12 17:22:44 CET 2012


On 01/12/2012 04:08 PM, lmgo5991 wrote:
> Hi Phil,
>
> Thanks for your quick response.  Just to clarify what we have succeeded in to date:
>
>    1. Install Samba done
>    2. Join Samba to the domain done
>    3. Start winbind done
>    4. Configure FreeRADIUS to use ntlm_auth to check MSCHAP against the
> AD controllers done
>
> After finding the updated changes for fr v2 we ran the radius -X and are now receiving the following:-
>
>
> rad_recv: Access-Request packet from host 10.1.5.4 port 32768, id=193, length=256
>          User-Name = "radldapuser@gcu.ac.uk"
>          Calling-Station-Id = "00:24:2c:7a:d8:7d"
>          Called-Station-Id = "00:26:cb:80:33:20:eduroam"
>          NAS-Port = 29
>          Cisco-AVPair = "audit-session-id=0a0105040000026d4f0f0224"
>          NAS-IP-Address = 10.1.5.4
>          NAS-Identifier = "CLIC_WiSM_A"
>          Airespace-Wlan-Id = 9
>          Service-Type = Framed-User
>          Framed-MTU = 1300
>          NAS-Port-Type = Wireless-802.11
>          Tunnel-Type:0 = VLAN
>          Tunnel-Medium-Type:0 = IEEE-802
>          Tunnel-Private-Group-Id:0 = "914"
>          EAP-Message = 0x0202001a017261646c64617075736572406763752e61632e756b
>          Message-Authenticator = 0x569f3fe4b0f6cc0bacb1451b037bb5e3
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] Looking up realm "gcu.ac.uk" for User-Name = "radldapuser@gcu.ac.uk"
> [suffix] Found realm "GCU.AC.UK"
> [suffix] Adding Stripped-User-Name = "radldapuser"
> [suffix] Adding Realm = "GCU.AC.UK"
> [suffix] Proxying request from user radldapuser to realm GCU.AC.UK
> [suffix] Preparing to proxy authentication request to realm "GCU.AC.UK"
> ++[suffix] returns updated
> [eap] Request is supposed to be proxied to Realm GCU.AC.UK.  Not doing EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
>    WARNING: Empty pre-proxy section.  Using default return values.
> Sending Access-Request of id 98 to 10.1.1.78 port 1812

This is a completely different config, behaving completely differently 
to your previous post. Now, you are proxying everything to an external 
server.

The proxy destination:

10.1.1.78

...isn't responding, which is why it isn't working.

>
> We are trying to locate where we would reference our internal AD within either proxy.conf and/or clients.conf, or should ntlm do this automatically...

I think you have made a fundamental misunderstanding.

If you are proxying a request, you are sending it to a different radius 
server. You don't "reference your AD servers" or use ntlm.

If you are proxying, the destination radius server does all the work.

What do you want to do here? Proxy, or authenticate? You can't do both.

If you want to authenticate, don't proxy. If you want to proxy, make the 
proxy destination reply.
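As an added illustration of the two alternatives described above (not taken from this reply or from the FreeRADIUS project's files), here is how the realm seen in the debug output would be written in a FreeRADIUS 2 proxy.conf: first as it is evidently configured now, proxied to the home server at 10.1.1.78, and then defined with no pool so the request stays on this server and the eap/mschap/ntlm_auth path is used. The home_server and pool names and the shared secret are placeholders.

```text
# --- Variant A: proxy (this is what the debug output shows) ---
# Every request for GCU.AC.UK is forwarded to the home server below.
# If 10.1.1.78 does not answer, the request times out; the local
# eap/mschap/ntlm_auth configuration is never consulted.
home_server gcu_remote {          # placeholder name
        type   = auth
        ipaddr = 10.1.1.78
        port   = 1812
        secret = CHANGE_ME        # placeholder shared secret
}

home_server_pool gcu_pool {       # placeholder name
        type        = fail-over
        home_server = gcu_remote
}

realm GCU.AC.UK {
        auth_pool = gcu_pool
}

# --- Variant B: authenticate locally (no proxying at all) ---
# A realm with no auth_pool/acct_pool is handled by this server:
# the suffix module still strips the realm from User-Name, but the
# request is not proxied, so eap runs and MS-CHAP is checked by
# the mschap module calling ntlm_auth against winbind.
realm GCU.AC.UK {
        # no pools: requests for this realm stay local
}
```

Only one `realm GCU.AC.UK` definition may exist in a live configuration; the two are shown together only for comparison. With Variant B, `radiusd -X` no longer prints the `[suffix] Proxying request ...` and `[eap] ... Not doing EAP` lines, which is the quickest check that proxying is off.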


